Malware analysis Chew7.exe Malicious activity | ANY.RUN

Add for printing

File name:	Chew7.exe
Full analysis:	https://app.any.run/tasks/633c7f35-22ac-4433-8808-62049be1fa75
Verdict:	Malicious activity
Analysis date:	January 23, 2019, 05:53:25
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	7B232997942B2A5C7E4DBE931BB4C67C
SHA1:	06C6D3B5B66585F03BAB25C774BAADB575CB1515
SHA256:	0A88FAA27484C7C163BC90FBF806A9DAB84226C2F60F3410695278EE76D065F5
SSDEEP:	98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - hale.exe (PID: 2580)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - hale.exe (PID: 2580)
  - cmd.exe (PID: 3692)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2852)
  - cmd.exe (PID: 3692)
  - cmd.exe (PID: 3480)
  - cmd.exe (PID: 3888)
  - cmd.exe (PID: 2708)
- Executable content was dropped or overwritten
  - Chew7.exe (PID: 3760)
  - hale.exe (PID: 2580)
- Application launched itself
  - cmd.exe (PID: 3692)
- Uses ICACLS.EXE to modify access control list
  - cmd.exe (PID: 3692)
- Uses TASKLIST.EXE to query information about running processes
  - cmd.exe (PID: 3692)
- Creates files in the Windows directory
  - Chew7.exe (PID: 3760)
- Uses TASKKILL.EXE to kill process
  - Chew7.exe (PID: 3760)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (43.2)
.exe	\|	Win64 Executable (generic) (16.2)
.exe	\|	UPX compressed Win32 Executable (15.9)
.exe	\|	Win32 EXE Yoda's Crypter (15.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.8)

EXIF

EXE

AssemblyVersion:	0.0.0.0
ProductVersion:	1.1.0.0
ProductName:	Chew7 v1.1
OriginalFileName:	Chew7.exe
LegalCopyright:	© Chew7. All rights reserved.
InternalName:	Chew7.exe
FileVersion:	0.6.8.4
FileDescription:	The Science of Activation
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.1.0.0
FileVersionNumber:	0.6.8.4
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x47c7fe
UninitializedDataSize:	-
InitializedDataSize:	108032
CodeSize:	4696576
LinkerVersion:	8
PEType:	PE32
TimeStamp:	2010:08:01 23:59:57+02:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3324	"C:\Users\admin\Downloads\Chew7.exe"	C:\Users\admin\Downloads\Chew7.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: The Science of Activation Exit code: 3221226540 Version: 0.6.8.4
3760	"C:\Users\admin\Downloads\Chew7.exe"	C:\Users\admin\Downloads\Chew7.exe		explorer.exe
User: admin Integrity Level: HIGH Description: The Science of Activation Version: 0.6.8.4
2684	"C:\Windows\System32\taskkill.exe" /f /im cmd.exe	C:\Windows\System32\taskkill.exe	—	Chew7.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3040	"C:\Windows\System32\taskkill.exe" /f /im hale.exe	C:\Windows\System32\taskkill.exe	—	Chew7.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2580	"C:\Windows\system32\hale.exe"	C:\Windows\system32\hale.exe		Chew7.exe
User: admin Integrity Level: HIGH
3692	cmd /c ""C:\Users\admin\AppData\Local\Temp\3121.tmp\hale.cmd" "	C:\Windows\system32\cmd.exe	—	hale.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2620	REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE	C:\Windows\system32\reg.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2748	FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"	C:\Windows\system32\find.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2972	REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f	C:\Windows\system32\reg.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3888	C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

463

Read events

453

Write events

Delete events

Modification events


(PID) Process:	(3760) Chew7.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3760) Chew7.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2580) hale.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2580) hale.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	—	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
Operation:	write	Name:
Value:
(PID) Process:	—	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
Operation:	write	Name:	LastAttempt
Value: install

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\plat.cmd		text
		MD5:18E656CB3DD56AF78AC3C58C7018145A	SHA256:A18F490DFE451F8C14EAF07951292CC45318073DDBAC65B18831668F48D811B2
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\mtmp.cmd		text
		MD5:02D7EBAD35B5624A751243D101A540CE	SHA256:7686C1B97D3F80D042AAC35D82B5E5B558A494AE3E0E35DE81A47C413D9020AC
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\postw.cmd		text
		MD5:C794EC73494F3AEC4067E8BDC954B53F	SHA256:F646BCC720792EEF578FA4F6298A272FD43EC49CAD664D1D06F963B812D9F589
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\intv.cmd		text
		MD5:3AB983628DA0FD9F8AFD497D07F33D76	SHA256:97754BA105CD61128EBEF8AAB5272F669A72B64F44B6D861C8D507C088410A27
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\pendx.cmd		text
		MD5:3AF31A071967EC43A0AC6E3605FF1D8C	SHA256:A0197323DA44005AEC9726CABAEE9F1027FA07EB5367F3FCEAAD05E3728C0324
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\hash.cmd		text
		MD5:467B51F35949C5A3F722BA736CE920E4	SHA256:6C28FA6BF656B77085B464485FD085D4D6EEB7E3A0FF2DFF690DC813B492580C
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\hale.cmd		text
		MD5:6CE66570BFAB35A20D280D9833049E97	SHA256:C755237B5C58134FF21520F7D2D401E5C9AD40D05DC76FE317FFD238ECAFECF2
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\tick.cmd		text
		MD5:D32C42E48DDEE14FDDD78BAE6866CFC2	SHA256:7BA5AF7F29496E9C5EB780CD484623ECAF0443299EA9693261516DFB60401266
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\plog.cmd		text
		MD5:D638644C3BB80F1E98AE06FA85680EB1	SHA256:E8A990623424631496704087D29F05300BC5EFABB47C94FFE7F6BD46D803B587
2580	hale.exe	C:\Users\admin\AppData\Local\Temp\3121.tmp\lhed.cmd		text
		MD5:34670DB25D9AFD4F3912F77F2E5C7D08	SHA256:A4761B5A5F5E6542867BA1CAA87676410B7AEDCCD762826359046167771659FF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Chew7.exe

7B232997942B2A5C7E4DBE931BB4C67C

06C6D3B5B66585F03BAB25C774BAADB575CB1515

0A88FAA27484C7C163BC90FBF806A9DAB84226C2F60F3410695278EE76D065F5

98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Starts CMD.EXE for commands execution

Uses REG.EXE to modify Windows registry

Executable content was dropped or overwritten

Application launched itself

Uses ICACLS.EXE to modify access control list

Uses TASKLIST.EXE to query information about running processes

Creates files in the Windows directory

Uses TASKKILL.EXE to kill process

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings